Cyber Incident Victim: MarkMonitor
Date: Feb 2014
Location: Syria
Summary
The Syrian Electronic Army compromised a domain management service provider, MarkMonitor, gaining unauthorized access to administrative panels for multiple high-profile clients including Facebook, Google, Yahoo, Amazon, eBay, PayPal, Visa, Reuters, and Symantec. The attackers altered the domain registry details for one client, changing the registrant email address and location information to Syrian values, before the provider blocked further access and the original configuration was restored.
Description
On February 6, 2014, the Syrian Electronic Army (SEA) claimed responsibility for compromising domain management provider MarkMonitor in an attempt to alter the domain registrations of multiple high-profile technology companies. The SEA, a hacktivist group supporting Syrian President Bashar Al-Assad, targeted companies including Facebook, Google, Yahoo, Amazon, Visa, Reuters, Symantec, eBay, and PayPal through their attack on MarkMonitor. The group provided screenshots via their official Twitter account showing unauthorized access to MarkMonitor’s administrative panel designated for managing domains of these companies. One screenshot demonstrated the SEA altering Facebook’s domain registration details, changing the registrant email to "Syrian.es.[email protected]," the country to Syria, and the city to Damascus. This incident followed a previous breach on February 2, 2014, when the SEA had compromised eBay and PayPal accounts under MarkMonitor’s management. When questioned whether they reused prior access, the SEA explicitly stated they had hacked MarkMonitor again for this attack. MarkMonitor implemented defensive measures that blocked the SEA from causing more extensive damage, though the group’s screenshots confirmed at least partial success in accessing critical systems.

The immediate impact included unauthorized modifications to Facebook’s domain registration records, though these changes were reverted to their original settings by the time the incident was publicly reported. The SEA’s actions demonstrated their ability to breach a centralized domain management service, potentially enabling broader disruptions to major online platforms. No service outages or additional consequences for end-users were mentioned in the available evidence. MarkMonitor’s containment efforts successfully limited the operational impact, preventing permanent alterations to other clients’ domain records. The incident highlighted the risks posed by third-party service providers in the domain management ecosystem, as compromising MarkMonitor provided access to multiple high-value targets simultaneously. Facebook’s swift restoration of its registrant details indicated coordinated remediation efforts between the affected company and MarkMonitor. The SEA’s public disclosure via Twitter and direct communication with media outlets underscored their intent to publicize the breach as a demonstration of capability rather than to cause persistent technical damage.
